The recent hack of the Gawker network has left a question in my mind. If I had an account at Gawker, I would protect myself by changing my passwords at all the other identity providers where I use the same or a related password.

What should I be doing when my OpenID id provider is hacked?

I use this account to log in basically everywhere and I'm not at all sure how I would go about protecting myself when this account is compromised.

This question came from our site for computer enthusiasts and power users.

1

...I would protect myself by changing my passwords ... where I use the same or a related password. - why wait until the horse has bolted? Don't use the same password in more than one place; use some hashing mechanism (or browser plugin, etc) to get unique pw's per site, or at the very least just add the first few letters of each site's domain (or some other modification that you'll remember!) to the end of your "normal" password to make it a little more unique on each site.
– DMA57361 Dec 14 '10 at 9:12

1

I am sorry, this isn't really what I asked. I'm more interested in how you would protect yourself if your openid gets compromised, where you don't have a password per website.
– Pieter Breed Dec 14 '10 at 9:32

@Pieter - I realise this, which is why I made a comment not an answer; needing to change passwords because of one malicious or incompetent service is something users shouldn't need to do - and I tend to try and politely argue the counterpoint whenever it is mentioned.
– DMA57361 Dec 14 '10 at 9:38

2

I have set up my tiny website with OpenID delegation, so switching OpenID providers would take just a few changes in index.html.
– grawity Dec 14 '10 at 10:21

Also, the hosting for your personal URL with redirection could be cracked, and the redirection rewritten. Is that also a threat? Couldn't the redirection page be somehow signed with a private key/certificate (issued by a trusted CA) to prevent such an attack?
– imz -- Ivan Zakharyaschev Mar 21 '13 at 22:54

Although it's primarily a layer of obfuscation ("security through obscurity is no security at all", etc.), http://blog.woobling.org/2009/05/your-openid-sucks.html tells you how to simply set up your own OpenID delegation through a URL of your choice. While this will not prevent someone who cracks your actual OpenID provider from making use of your credentials, it still does provide two actual benefits in that case:

1) It conceals your actual OpenID provider's identity, making it less obvious to an attacker whether you're using the compromised service or not. While this concealment is easily penetrated, it's an extra step that they'd have to go through to determine whether your account is affected, which will keep you safe from attackers making use of bulk exploits. (If everybody else's door is unlocked, even a trivial lock will keep thieves at bay.) You'd then only need to worry about attackers who are specifically targeting you.

2) If your OpenID provider is cracked, you can trivially switch your delegation at any time to a different provider who, hopefully, has not been compromised. This still leaves you vulnerable until you learn of the incident and change to the new provider, but, once you change it over, your OpenID-based accounts will once again be secure without needing to visit all of the sites you use OpenID with.
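The delegation the answer describes is just a handful of `<link>` tags in the `<head>` of a page you control; a consumer reads them to learn which provider to redirect to. The following is an added example, not code from the answer or from the linked blog post: it renders those tags, parses them back out of a page, and compares a fetched copy of your delegation page with the provider you intended, so a rewritten redirection (the threat raised in the comments) shows up as a finding rather than going unnoticed. All URLs are constructed placeholders, and `check_delegation`, `render_delegation` and `parse_delegation` are names chosen here, not part of any OpenID library.

```python
"""
Added example: render, parse and sanity-check an OpenID delegation page.
The provider and identifier URLs are constructed placeholders.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# The four <link> relations used for delegation: openid.* for OpenID 1.x,
# openid2.* for OpenID 2.0. Both pairs are usually published together.
OPENID_RELS = {"openid.server", "openid.delegate", "openid2.provider", "openid2.local_id"}


class _LinkCollector(HTMLParser):
    """Collect the href of every <link> whose rel carries an OpenID relation."""

    def __init__(self):
        super().__init__()
        self.links = {}

    def handle_starttag(self, tag, attrs):
        if tag != "link":
            return
        attr = dict(attrs)
        href = attr.get("href")
        # rel may hold several whitespace-separated tokens,
        # e.g. rel="openid.server openid2.provider"
        for token in (attr.get("rel") or "").lower().split():
            if token in OPENID_RELS and href:
                self.links.setdefault(token, href)  # first occurrence wins


def parse_delegation(html):
    """Return {rel: href} for the OpenID delegation links found in an HTML page."""
    parser = _LinkCollector()
    parser.feed(html)
    parser.close()
    return parser.links


def render_delegation(provider_endpoint, local_id):
    """Build the <link> tags to put in <head> of the page at your own URL.

    Moving to another provider means regenerating just these four lines.
    """
    return (
        f'<link rel="openid.server" href="{provider_endpoint}">\n'
        f'<link rel="openid.delegate" href="{local_id}">\n'
        f'<link rel="openid2.provider" href="{provider_endpoint}">\n'
        f'<link rel="openid2.local_id" href="{local_id}">'
    )


def check_delegation(html, expected_provider, expected_local_id):
    """Compare a fetched copy of the delegation page with what you configured.

    Returns a list of findings; an empty list means the page still points
    where you intended. Running this periodically against your own URL is a
    cheap way to notice that the redirection has been rewritten.
    """
    links = parse_delegation(html)
    findings = []
    expectations = {
        "openid.server": expected_provider,
        "openid2.provider": expected_provider,
        "openid.delegate": expected_local_id,
        "openid2.local_id": expected_local_id,
    }
    for rel, expected in expectations.items():
        got = links.get(rel)
        if got is None:
            findings.append(f"missing {rel}")
        elif got != expected:
            findings.append(f"{rel} points to {got}, expected {expected}")
    # A downgrade to plain http would let the redirection be rewritten in transit.
    for rel, href in links.items():
        if urlsplit(href).scheme != "https":
            findings.append(f"{rel} is not https: {href}")
    return findings


# Constructed sample: what index.html at a personal URL would contain.
PROVIDER = "https://provider.example/openid/server"
LOCAL_ID = "https://provider.example/user/alice"
SAMPLE_PAGE = (
    "<!DOCTYPE html><html><head><title>alice</title>\n"
    + render_delegation(PROVIDER, LOCAL_ID)
    + "\n</head><body>Alice's home page</body></html>"
)

if __name__ == "__main__":
    print(parse_delegation(SAMPLE_PAGE))
    print("intact page:", check_delegation(SAMPLE_PAGE, PROVIDER, LOCAL_ID))
    rewritten = SAMPLE_PAGE.replace("provider.example/openid/server", "rewritten.example/openid")
    print("rewritten page:", check_delegation(rewritten, PROVIDER, LOCAL_ID))
```

The check compares against values you recorded when you set the page up, so it catches both a changed provider endpoint and a changed local identifier; it does not authenticate the page (that is what TLS on your own host is for), it only tells you that what the world now sees differs from what you published.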


So, then the plan would need: how to know where one used the OpenID account, and how to change that? The Stack Exchange sites allow for using multiple OpenID accounts, which also actually adds support to change the provider without creating a new account. I'm not sure how many other sites support that.
– Arjan Dec 14 '10 at 10:12